GDPR & HIPAA mapping
Why FHIR Consent is rich enough
The FHIR R4 Consent resource is expressive enough to represent GDPR, HIPAA, and DISHA requirements without custom extensions. AJ Consent Manager maps the regulatory concepts directly.
GDPR Article 17 — Right to erasure
When a patient exercises the right to erasure, close the consent window:
"provision": {
"type": "deny",
"period": {"end": "2026-01-15T00:00:00Z"}
}
All access is denied from period.end forward. Patient data remains in HAPI FHIR for the audit trail (GDPR Art. 30) but is inaccessible to all actors.
GDPR Article 5(1)(c) — Data minimisation
Restrict access to specific FHIR resource types:
"provision": {
"type": "permit",
"class": [
{"code": "Patient"},
{"code": "Encounter"},
{"code": "Observation"}
]
}
A consent that permits Patient and Encounter cannot be used to read MedicationRequest — even with a valid Bearer token.
HIPAA minimum necessary
Combine class (resource type) and action (HTTP method):
"provision": {
"type": "permit",
"class": [{"code": "Patient"}],
"action": [{"code": "read"}]
}
Read-only access to Patient resources. Write is denied even for the same actor.
DISHA (India)
The DISHA consent artefact requires a structured list of consentees. Map to provision.actor:
"provision": {
"type": "permit",
"actor": [
{"reference": {"reference": "Organization/hosp-colombo-01"}},
{"reference": {"reference": "Organization/pharmacy-chain-lk"}}
]
}
Each Organization in provision.actor is a DISHA consentee. Access is permitted only for listed organisations.
GDPR Article 30 — Audit trail
Every consent check generates an ATNA AuditEvent:
| Outcome | AuditEvent.outcome | Meaning |
|---|---|---|
| Permit | 0 | Access granted |
| Deny | 8 | Serious failure — access denied |
The audit trail provides the Art. 30 record of processing activities.